MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
SHA3-384 hash: 722e38db6013acb6c6441fabca31112b65fcb181172c394ebf747b6b6b2d86c4211a992fec22f2765556753d9f890c52
SHA1 hash: 7be4c7bac4cc37cae9138ff8896ae36b31d2eac0
MD5 hash: c5fecdf6aab18eaee292d2baf72a0b27
humanhash: high-quiet-red-magnesium
File name:file
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:352'256 bytes
First seen:2023-07-25 12:55:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c187c5419584098cd104bb53d369d28 (5 x RedLineStealer, 1 x MarsStealer, 1 x Stealc)
ssdeep 6144:hCWHghjInKY0La3wK9RihVydQfwu3Mta+LGmmCPR:UWA5IKQP9RAitaKv
Threatray 192 similar samples on MalwareBazaar
TLSH T1B474F12272D0D073E0A796305930C6A13A77B8626B74D5CF33942B7E1E60BD1AB76397
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0ddd0d5d9d2dd (1 x RedLineStealer)
Reporter andretavare5
Tags:exe RedLineStealer


Avatar
andretavare5
Sample downloaded from http://95.214.25.207:3002/file.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-07-25 12:57:31 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/0012f728-26c5-448c-b722-fd7c2a6c3974

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432173/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19214.19474.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64bfc6652c2ccb7094471524/reports/7fc7efd0-d9f4-48c8-80bc-792645db528e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8c7bf48-01d3-4fb0-94fc-b2d715cc87e5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279149
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Schedule binary from dotnet directory
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279149 Sample: file.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 82 Snort IDS alert for network traffic 2->82 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 8 other signatures 2->88 9 file.exe 15 7 2->9         started        14 AppLaunch.exe 2->14         started        16 MTA1.exe 2->16         started        18 2 other processes 2->18 process3 dnsIp4 66 51.89.201.49, 49697, 6932 OVHFR France 9->66 68 transfer.sh 144.76.136.153, 443, 49698, 49699 HETZNER-ASDE Germany 9->68 56 C:\Users\user\AppData\Local\...\filename.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\Local\Temp\1name.exe, PE32 9->58 dropped 60 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 9->60 dropped 96 Detected unpacking (changes PE section rights) 9->96 98 Detected unpacking (overwrites its own PE header) 9->98 100 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->100 102 2 other signatures 9->102 20 filename.exe 1 9->20         started        23 1name.exe 14 67 9->23         started        file5 signatures6 process7 dnsIp8 90 Multi AV Scanner detection for dropped file 20->90 26 AppLaunch.exe 2 26 20->26         started        31 WerFault.exe 24 9 20->31         started        33 conhost.exe 20->33         started        64 127.0.0.1 unknown unknown 23->64 92 Machine Learning detection for dropped file 23->92 94 Tries to harvest and steal browser information (history, passwords, etc) 23->94 35 chrome.exe 23->35         started        signatures9 process10 dnsIp11 70 ip-api.com 208.95.112.1, 49701, 80 TUT-ASUS United States 26->70 72 185.159.129.168, 80 ITOS-ASRU Russian Federation 26->72 74 5 other IPs or domains 26->74 62 C:\ProgramData\...\MTA1.exe, PE32 26->62 dropped 104 Suspicious powershell command line found 26->104 106 Creates an autostart registry key pointing to binary in C:\Windows 26->106 108 Uses schtasks.exe or at.exe to add and modify task schedules 26->108 110 Adds a directory exclusion to Windows Defender 26->110 37 powershell.exe 26->37         started        39 schtasks.exe 26->39         started        41 powershell.exe 26->41         started        43 schtasks.exe 26->43         started        45 chrome.exe 35->45         started        file12 signatures13 process14 dnsIp15 48 conhost.exe 37->48         started        50 conhost.exe 39->50         started        52 conhost.exe 41->52         started        54 conhost.exe 43->54         started        76 www.google.com 172.217.168.4, 443, 49715, 49716 GOOGLEUS United States 45->76 78 plus.l.google.com 216.58.215.238, 443, 49721 GOOGLEUS United States 45->78 80 apis.google.com 45->80 process16
Detection:
redline
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a/
Threat name:
Win32.Ransomware.Djvu
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 12:56:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=45goxuiu6bxup3nkc4pzcshoz4k7kcgqleu6eeudf22exe664v5a._file
Verdict:
malicious
Similar samples:
11878766a2a00d5bbc7774f4697c78d29fbd54293ca264eabf208691f85bbd14
RedLineStealer
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
RedLineStealer
21555a064acdc892c3982e3dcd7244f94737297b675284b0256c28c16011fdad
RedLineStealer
3585046470ceeba22fea4a341e6a1b8998d43b4a0a53450747ee361c0c56f770
RedLineStealer
41eb10298ecda748977837bf1c15ff97cf47c0317b78257863e4983f66ebd011
RedLineStealer
64365156896ff3b41790a7b0dd38bf1efb985a4e5e35135883b34ea69a85b508
RedLineStealer
c17f2f54fc2cefba56ff8d26c44fd63d71a015ee621aead29b7ca9bb7a0cb856
RedLineStealer
cfb31b24488df4fe68b547bc9a28f994e67191749f8c76dc07a6f25f48475287
RedLineStealer
eed4aae9bac8170a1629ffc3176a04f0ea9e58de8cb295a1332952b6afb3cf46
RedLineStealer
f46b5b289501e88dc89c7d8daf37156459bcacebceaff3af7718190384546dbd
RedLineStealer
+ 182 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:logsdiller cloud (telegram: @logsdillabot) discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230725-p6cslsce68/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
RedLine
Malware Config
C2 Extraction:
51.89.201.49:6932
Unpacked files
SH256 hash:
f5d6462a2d94739de88ed00f6235a8b6297ed69f276c1b1b5eac019ffd76832c
MD5 hash:
414f2bd73f5fa592f629ca2583986212
SHA1 hash:
bdd104e676335baa9ade66f3d0bc6c3c02ee7efd
Link:
https://www.unpac.me/results/714184b3-0c8b-48c1-9c90-1a0a88fc48ab/
SH256 hash:
5d1835b7abe9635775381d92c69be21a845302b59627c983231637b0e03cf083
MD5 hash:
905f316e5faf8833fbfffb9624b33a7a
SHA1 hash:
5768ff57e4c51c2000018642142518ec91fdd976
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/714184b3-0c8b-48c1-9c90-1a0a88fc48ab/
Parent samples :
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
854686fe7733b66f0cb1fd49714e5126413f200bd8fe7c7dcc4e900e808a30cc
3122024e38f6769ed308f951822fb89eea84c3fe13fdc8a7397f6bfabe3d0d28
f4d613761f025e646a9adeea89975989bd817d0280d05fc45e61301bfaa43688
fd613ccfdd3bb9ab2009d07d3df55827dbd67bd6e5b5574924fba1e6940a404c
6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
d5f1a77bf8d84cf38a76a3a077e7d0cdbdb8f436392ec8742f7463c0f8067362
92cdd03295523d1f0b5fdf13489745137a8000a34657dd1316b716a8b52b5b4e
f24b3812d45263f6998aa5e2edfd61f5919d81a6916c52e7d4d0d1c53a050afe
db40827d851730dff5a1019430f6364fa76cec8fecad2bf76d2d78ab2102f672
6576a9cae4aa29df3f1a64c991edf760b5049d46b9f8c04a746afab4c75b2461
156f8a01373f5c86d414a9597835bbd998092c5408ff2bdcfdabc93e7394d536
2432fd8a398d21a7e5cdd1db1bc5b3d57619b3f1fb834f44d61bacae350a7f8e
5570374655d68b8a1e42aa5aa5b4a63367a7919c352b5aa1c8c4049034425205
f6dd9fd0185041228855ea83680f9ab6c96dc9bf63da4ac5dce9260ae2af00e3
90a64173b3e6a9bc6d76975b4b566ad2a1ed2e7530c90a142b4d19914141cd20
faa536c84fe0357e13c3464114b7cc417cf91ed91ea29da648924b17335269ee
e0b1ee6c4cbf7cef3f99179f852d08088cd8d0b47ea3af9c1b4bab543d895adc
469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
31b442766d69f7e989e3839c60b3d0792745ce2e97461495559d3082f5b0607c
5c249d73d8a1451c87291303f8568f8602ee6c9eaeeeaf304e484d00e0a00fa9
b805ee9e91c4716831f7f44ab17a2e58ec9f90c73be93cf7468fee62edcbc2d7
e0193765c9e157028a992d2c76b8d3b717cc4390ddb4d6a972351ec9d39981e9
0eb8836fbbec229856e5b8ec0703cf55b38c2c94fd1719b994fa23cc8a1b7ab1
e58b5a3526a5b42be36a7cdf94d17035f76df9fed7db09d3982330a61986f7d8
c9d61842904c94a0a518478b2e9a81814b1bac45579d077bb4d5e628a9556d19
0aeabd2cce82133225f93a32f88d3a1ac58b149f1b897d7467fcfbd02369330e
e4e4ba94f26c1684ca0d8815d9f20b81e3c7000a88729a460f688ef405995161
c4dd212e80e44d05c45658aa172cf438abd791e89096f1b512fd67684951b0a0
9b400556890eb898227a06f91838ff0edf22c19a5f06d5f99181c7da2c45ea07
37de802ee7fb89ecbaef5175ea96747b7d429e92621cc236ee461cd6f084799b
SH256 hash:
8a9b739843085c75a03fdad6bf64ee1b62b119f0ad1f0ded8b5e881ea6a9e4b0
MD5 hash:
0f11f1777a3880c7f24b2071c79be591
SHA1 hash:
5711544dbf93cbccfee2c43ab1bf71f455122ecb
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/714184b3-0c8b-48c1-9c90-1a0a88fc48ab/
Parent samples :
14b35e6e0894fbfbfc265b48fc6d8f9c63dd4a382f73447b8f7b0b7ef19e18b6
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
854686fe7733b66f0cb1fd49714e5126413f200bd8fe7c7dcc4e900e808a30cc
3122024e38f6769ed308f951822fb89eea84c3fe13fdc8a7397f6bfabe3d0d28
f4d613761f025e646a9adeea89975989bd817d0280d05fc45e61301bfaa43688
fd613ccfdd3bb9ab2009d07d3df55827dbd67bd6e5b5574924fba1e6940a404c
6295a983138ab0f8503d3f81992d3214115728986a3f42f14dbf4f2808852933
d5f1a77bf8d84cf38a76a3a077e7d0cdbdb8f436392ec8742f7463c0f8067362
92cdd03295523d1f0b5fdf13489745137a8000a34657dd1316b716a8b52b5b4e
f24b3812d45263f6998aa5e2edfd61f5919d81a6916c52e7d4d0d1c53a050afe
db40827d851730dff5a1019430f6364fa76cec8fecad2bf76d2d78ab2102f672
6576a9cae4aa29df3f1a64c991edf760b5049d46b9f8c04a746afab4c75b2461
156f8a01373f5c86d414a9597835bbd998092c5408ff2bdcfdabc93e7394d536
2432fd8a398d21a7e5cdd1db1bc5b3d57619b3f1fb834f44d61bacae350a7f8e
5570374655d68b8a1e42aa5aa5b4a63367a7919c352b5aa1c8c4049034425205
f6dd9fd0185041228855ea83680f9ab6c96dc9bf63da4ac5dce9260ae2af00e3
90a64173b3e6a9bc6d76975b4b566ad2a1ed2e7530c90a142b4d19914141cd20
faa536c84fe0357e13c3464114b7cc417cf91ed91ea29da648924b17335269ee
e0b1ee6c4cbf7cef3f99179f852d08088cd8d0b47ea3af9c1b4bab543d895adc
469d1c9d8249dd25b4f09291a612e3e1534053a29e8b8cdc40974b2f8b866563
31b442766d69f7e989e3839c60b3d0792745ce2e97461495559d3082f5b0607c
5c249d73d8a1451c87291303f8568f8602ee6c9eaeeeaf304e484d00e0a00fa9
b805ee9e91c4716831f7f44ab17a2e58ec9f90c73be93cf7468fee62edcbc2d7
e0193765c9e157028a992d2c76b8d3b717cc4390ddb4d6a972351ec9d39981e9
0eb8836fbbec229856e5b8ec0703cf55b38c2c94fd1719b994fa23cc8a1b7ab1
e58b5a3526a5b42be36a7cdf94d17035f76df9fed7db09d3982330a61986f7d8
c9d61842904c94a0a518478b2e9a81814b1bac45579d077bb4d5e628a9556d19
0aeabd2cce82133225f93a32f88d3a1ac58b149f1b897d7467fcfbd02369330e
e4e4ba94f26c1684ca0d8815d9f20b81e3c7000a88729a460f688ef405995161
c4dd212e80e44d05c45658aa172cf438abd791e89096f1b512fd67684951b0a0
9b400556890eb898227a06f91838ff0edf22c19a5f06d5f99181c7da2c45ea07
37de802ee7fb89ecbaef5175ea96747b7d429e92621cc236ee461cd6f084799b
SH256 hash:
f9dd467756989b972f91b74dd3d8a46177a487a466cd46ee295957b8f46160ab
MD5 hash:
da7faeda88e9104f5fde519966dab3d1
SHA1 hash:
46c0be2aef08a87e006807fddaed9da52e14ef7e
Link:
https://www.unpac.me/results/714184b3-0c8b-48c1-9c90-1a0a88fc48ab/
SH256 hash:
e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a
MD5 hash:
c5fecdf6aab18eaee292d2baf72a0b27
SHA1 hash:
7be4c7bac4cc37cae9138ff8896ae36b31d2eac0
Link:
https://www.unpac.me/results/714184b3-0c8b-48c1-9c90-1a0a88fc48ab/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e74cebd114f0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e74cebd114f06f47edaa171f9148eecf15f508d05929e212832eb44b93dee57a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2688389/
Cape
Cape
https://www.capesandbox.com/analysis/432173/
  
URLhaus
https://urlhaus.abuse.ch/url/2689675/

Comments